How does a spammer hide the destination address?

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 24 11:37:02 EDT 2010


Spammers these days don't hide anything.  They don't need to because their spam isn't coming from their own systems.  It comes from thousands of "bots", compromised computers, around the world.  That's why you can see thirty copies of the same message, each with unique envelope and headers.  So, really, it's practically impossible to maintain lists of bad sending hosts.  There are just too damned many of them out there -- maybe even some on your own network.

There is a flaw to this type of carpet bombing.  Spambots don't queue and retry temporary failures.  They can't.  They'd choke themselves if they tried.  Instead, they just drop messages that can't be delivered.  This leads to a technique called greylisting.  In a nutshell, a greylist filter maintains a list of source IPs for incoming SMTP connections.  If a new IP is detected, the filter generates a 4xx temporary failure code and logs that IP in a database.  Legitimate MTAs will try again.  The filter will see the same source IP and let the retry through.  Spambots never retry, so the spam never gets delivered.

Greylisting stops between 50% and 90% of the incoming spam that I see.  The rest is so obviously spam that even the simplest adaptive filters can detect and trash it.  More here:

http://en.wikipedia.org/wiki/Greylisting

--Rich P.
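The greylisting mechanism described in the post above, as an added worked example. This is illustration code written for this page; it is not Richard Pieri's code and not the implementation of any real MTA or greylisting daemon. It makes a few assumptions beyond the post: it keys the list on the classic (client IP, envelope sender, envelope recipient) triplet rather than on the IP alone, the 300-second minimum retry delay and the expiry windows are chosen values, and the IP addresses and mailboxes in the simulated traffic are constructed from documentation ranges.

```python
"""Minimal greylisting filter (added example, not code from the original post).

Keying on the (client IP, sender, recipient) triplet is an assumption added
here; the post describes keying on the source IP only.  All time values are
in seconds and are chosen for illustration.
"""

from dataclasses import dataclass, field

# SMTP replies returned by the filter to the connecting client.
TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Recipient OK"


@dataclass
class Greylist:
    min_delay: int = 300                 # retry accepted only after this delay
    max_age: int = 4 * 3600              # forget triplets that never came back
    whitelist_age: int = 36 * 24 * 3600  # how long a passed triplet stays known
    first_seen: dict = field(default_factory=dict)  # triplet -> first contact
    passed: dict = field(default_factory=dict)      # triplet -> last accepted

    def check(self, ip, sender, rcpt, now):
        """Decide the SMTP reply for one RCPT TO at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        self._expire(now)
        if key in self.passed:
            # Already proved itself once: accept without further delay.
            self.passed[key] = now
            return ACCEPT
        t0 = self.first_seen.get(key)
        if t0 is None:
            # Never seen before: record it and defer with a 4xx reply.
            self.first_seen[key] = now
            return TEMPFAIL
        if now - t0 < self.min_delay:
            # Retrying too quickly; some bots hammer retries within seconds.
            return TEMPFAIL
        # A genuine retry after the delay: a real MTA queued the message.
        del self.first_seen[key]
        self.passed[key] = now
        return ACCEPT

    def _expire(self, now):
        """Drop stale entries so the database does not grow without bound."""
        for k, t in list(self.first_seen.items()):
            if now - t > self.max_age:
                del self.first_seen[k]
        for k, t in list(self.passed.items()):
            if now - t > self.whitelist_age:
                del self.passed[k]


def simulate():
    """Run constructed traffic through the filter and return the outcomes.

    The traffic is invented for this example: one legitimate MTA that retries
    ten minutes after being deferred, and thirty bots that each send one copy
    of the same message and never retry.
    """
    gl = Greylist()
    out = {}
    mta = ("192.0.2.10", "alice@example.com", "bob@example.net")
    out["mta_first"] = gl.check(*mta, now=0)      # deferred
    out["mta_retry"] = gl.check(*mta, now=600)    # accepted on retry
    # Thirty copies from thirty different compromised hosts, each new to us.
    bots = [gl.check(f"203.0.113.{i}", "xyz@example.org", "bob@example.net",
                     now=10 + i) for i in range(30)]
    out["bots_deferred"] = sum(r == TEMPFAIL for r in bots)
    out["bots_delivered"] = sum(r == ACCEPT for r in bots)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The `_expire` step is what keeps a greylist honest: a bot that comes back days later from the same address starts over, while a sender that has passed once keeps being accepted for the whitelist period. One caveat worth knowing before deploying this for real is that some large legitimate senders retry from a different host in the same farm, so a filter keyed on the exact IP (or exact triplet, as here) can defer them repeatedly; production greylisters typically key on a /24 or carry a whitelist of such senders.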
